WordPress Permissions: Fixing File and Folder Uploads Permissions

Dec 24, 2020

WordPress Permissions: Fixing File and Folder Uploads Permissions

Dec 24, 2020

When thinking about WordPress security, people rarely think about File Permissions. Most of the time, you think about installing a security plugin and calling it a day. And that’s a great mindset to have, but there are other considerations to be mindful of. 

Easily access files and folders are vulnerabilities that hackers can exploit, although in our experience this is rarely the case. Hackers tend to use other methods to gain control of your website. Nevertheless, it is good practice to have WordPress Permissions for files and folders locked down. 

Or perhaps security is far from your mind, and you are here because you see an error, “wordpress you do not have sufficient permissions to access this page”, while uploading a file. That too is caused by incorrect file permissions. 

Either way, by the end of this article, you’ll learn not just how to set proper file permissions but also which files are important enough to require restricted access.

Before you make any changes though, create a backup of your website. File permissions can be tricky things to tinker with. 

What are WordPress file permissions?

File permissions are a set of instructions that dictate who can access and modify WordPress files and folders. You can change permissions to give or restrict users from accessing files and folders. 

For the purposes of this article, we will be using the term ‘user’ to denote a person or collection of people who interact with files and folders. This is different from the WordPress users where we talk about the account and access privileges, and also distinct from the generic synonym for website visitors.

There are 3 types of users: User, Group and World; and 3 types of permissions: Read, Write, and Execute.

Who are these users, and what permissions are we talking about exactly?

  • World – Anyone on the internet
  • Group – A set of people with user roles like editors, contributors, subscribers, etc
  • User – WordPress administrator

change permission user group world

WordPress administrators (i.e. Users) can dictate what the World and Group can access and modify. 

Now coming to permission, all users will be granted 3 different types of permissions:

  • Read – They can only view the file’s contents
  • Write – They can modify the content of the file 
  • Execute – They can run codes in the file

read, write, execute

Let’s say, you want to grant your editors access to the wp-config.php file. They need to view the file occasionally but you don’t want them to modify it. It’s a crucial WordPress file and the smallest mistake can break your website.

So, you’d offer your editors (i.e. Group) access to Read the file. Nothing else. 

change permission group

How to set proper WordPress permissions?

Important: You are going to access the backend of your site and modify crucial WordPress files. Therefore, you absolutely need to take a complete backup of your website. If you do end up making a mistake, you can quickly restore your website to normal. 

There are two ways in which you can change file permissions. 

  1. Change WordPress file & folder permissions using cPanel
  2. Change WordPress file & folder permissions using FTP

Both methods will work the same way, regardless of which web host you use. However, there are web hosts who do not allow cPanel access; in which case you will need to use FTP. 

1. Change WordPress permissions using cPanel

Step 1: Log in to your web hosting account and navigate to the cPanel > File Manager.

shared hosting cpanel

Step 2: Next, find the public_html folder. This is where your WordPress website is stored.

public_html folder

Step 3: Find the folders (also called directory) we have listed below, right-click, and choose Change Permissions

change permission file manager

Step 4: Next, fix WordPress permissions by following the instruction below –

  • Folder: wp-admin
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-includes
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/themes
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/plugins
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/uploads
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-config.php
    • Permissions:
      • Group and World – Read
      • User – Read, Write
  • Folder: .htaccess
    • Permissions:
      • Group and World – Read
      • User – Read, Write

change permissions file manager

2. Change WordPress permissions using FTP

Step 1: Download and install Filezilla into your local computer. 

Step 2: Enter your FTP credentials and select Quickconnect.

If you don’t know what your FTP credentials are, ask your web host provider or find it yourself with the help of this article and these videos.

filezilla connect

Step 3: When the connection is made, files and folders will start populating in the right panel on Filezilla. Select the public_html folder. 

public_html ftp

The public_html folder contains your WordPress website, and so all your WordPress files and folders will start appearing in the panel below. 

Step 4: Find the folders we have listed below, right-click, and choose Change Permissions. Next, set the permissions for WordPress we have recommended below.

change permission ftp

  • Folder: wp-admin
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-includes
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/themes
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/plugins
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/uploads
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-config.php
    • Permissions:
      • Group and World – Read
      • User – Read, Write
  • Folder: .htaccess
    • Permissions:
      • Group and World – Read
      • User – Read, Write

change file permission ftp

The reasoning behind our recommended WordPress file permissions

Before you start modifying the file permissions, it’s important to understand which files and folders need protection and why. 

WordPress websites are made of many files and folders. The most important ones are: 

  • wp-admin
  • wp-includes
  • wp-content
    • wp-content/themes
    • wp-content/plugins
    • wp-content/uploads
  • wp-config
  • .htaccess

These files and folders are extremely crucial for your website because they contain data that enables your website to function properly. 

For instance, the wp-config file contains information about your database like the database name, password, etc. Anyone who has access to read wp-config can use it to break into your database. Therefore, only trusted users should be allowed to read and modify the wp-config file, and others like it. 

Website security should never be taken lightly, and the best way to protect your website is by installing a security plugin. Check out MalCare, the best-in-class security plugin with a firewall, scanner and many more features to ensure your website remains safe. 

Common issues caused by incorrect or bad file permissions

Unsurprisingly, incorrect or bad WP folder permissions can lead to errors. In fact, if an experienced WordPress developer set up your website for you, you probably do not need to alter the file permissions. However, if you are experiencing issues, then perhaps this section can help you resolve them. 

Ideally, if you had a website backup, you wouldn’t need to troubleshoot errors like these. You could rollback to the last working version and restore your website’s functionality in an instant.

We’ve described the three most common errors caused by incorrect WordPress folder permissions below. To resolve them, you will need to either use cPanel or FTP to access the backend of your website. There are tutorials above to set permissions for all files; you can use the same methodology to apply these fixes as well. 

1. Unable to install a plugin or theme

If your file permissions are incorrect, you’ll find it challenging to install plugins and themes. You are likely to come across an error message like 

‘The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions.’ or ‘Missing temporary folder.’

The update cannot be installed

Plugins and themes are stored in the wp-content/plugin and wp-content/theme folders, respectively. 

To be able to install plugins and themes, both folders have to be writable. Go to the backend and set the following folder permissions for WordPress:

  • Folder: wp-content/themes
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute
  • Folder: wp-content/plugins
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute

2. Unable to upload a media file 

When trying to upload an image or a video, you are encountering this error – ‘Unable to create directory wp-content/uploads.’

This means that your wp-content/uploads folder is not writable. It is where all your images and videos are stored. You need to set the following permissions:

  • Folder: wp-content/uploads
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute

3. Your cache plugins is throwing an error

When trying to clear the cache, you may encounter this – Error: Your cache directory () did not exist and couldn’t be created by the web server. Check permissions.

When you install a cache plugin on your site, it creates files which are then stored in the wp-content/cache folder. With incorrect permissions, this plugin will run into the above error. Go ahead and set the following permission.

  • Folder: wp-content/cache
    • Permissions:
      • Group and World – Read, Execute
      • User – Read, Write, Execute

4. What is the proper permission for the wp-config.php file?

The proper permission for the wp-config.php file is:

  • Group and World – Read
  • User – Read, Write

wp-config.php is one of the most important WordPress files. Unlike the Uploads folder, for example, you don’t need to change wp-config.php often. Plus, an attacker could locate an operly readable wp-config.php file and extract database login credentials from there to inject malware. Hence it makes sense to remove write permissions for Group, and read and write permissions for World. 

Was your wp-config file open to read? Then your website was vulnerable to attack. Scan your website now to check if malware has crept in without your knowledge.  

What next?

While setting proper file permission for WordPress is helpful it won’t secure your website in any major way. As we said earlier, a majority of hack attacks don’t need access to your files and folders.

The surest way to ensure that your website is secure is to install a security plugin like MalCare. Hackers can’t even reach your website without first encountering MalCare’s firewall. Moreover, it protects your website on different fronts. For instance, your login page is a favorite target among hackers. The plugin will protect this page from brute force attacks. 

Like to give MalCare a spin? Sign up now.

FAQs

1. What if you can’t change the permissions?

If you can’t change your WordPress file permissions, then you need to talk to your web host. Earlier, we mentioned that managed web host services like WP Engine and Pantheon restrict access to important WordPress files and folders. 

You won’t face any such problems in shared hosting or VPS hosting. That said, having such control over your server is a double-edged sword. Incorrect permissions can make your website insecure.

2. In a shared hosting environment, won’t restricting permissions prevent other users from accessing your files?

In a shared hosting environment, other users can’t view your files and folders. But this is not because of WordPress permissions. In shared hosting, while there are multiple websites on the same server, each website operates in an extremely restricted environment. One website won’t even know if there is another website on the same server. Hence, one user cannot peek into the files and folders of another website.  

3. What are the proper permissions for files like php.ini and php.cgi?

The proper permission for files like php.ini and php.cgi is to make them unreadable. You don’t really need to access or make modifications to these files. That being said, there are certain caching or firewall plugins that need access to these files to be able to operate properly. Without correct WordPress directory permissions, those plugins will malfunction.  

4. What are the proper permissions for the Uploads file?

The proper permission for the uploads folder is: 

  • Group and World – Read, Execute
  • User – Read, Write, Execute

All media files go into this folder. You need to ensure that it’s writable.

5. What are these numbers 644, 755, etc?

These numbers represent different file permissions on WordPress. 

Here’s what they mean:

0 – Means no access 
1 – Means execute 
2 – Means write 
4 – Means read

You can combine these numbers like this:

2+1 – 3 meaning write and execute 
4+1 – 5 meaning read and execute 
4+2 – 6 meaning read and write 
4+3 – 7 meaning read, write and execute

Let’s look at an example. Say you want to set permissions for the wp-content/uploads folder. You’d want the Group and World to read and execute. The User to read, write, and execute. This is how the permissions would look in the number format:

  • Group – Read, Execute – 4+1: 5
  • World – Read, Execute – 4+1: 5
  • User – Read, Write, Execute – 4+2+1: 7

change permission tab

When speaking of file permissions, the number system is a commonly used shorthand across all development environments. 

6. Why not make all files and folders read-only? 

In theory, making all your files and folders read-only will reduce the risk of making mistakes or getting hacked. Right? And to a certain extent, yes, that approach works.  

There are certain types of hacks like Remote Code Execution which can be prevented by taking the read-only approach. 

In fact, web host services like WP Engine and Pantheon restrict access to important WordPress files and folders to protect websites from hack attacks. Pantheon only keeps the wp-content/uploads folder writable.

That said, changing file permissions will do little to protect your website from a hack attack. In most cases, hackers don’t need file permission to be able to hack your site. Hence, changing file permission will not save you from WordPress hacks like XSS attacks, and SQL injection attacks, which constitute the vast majority of attacks.

Another major downside of going read-only is that you won’t be able to add or update plugins, themes, and the WordPress core. You won’t be able to upload any new media files. 

Restricting access to files and folders can have many unintended consequences. Caching plugins and even firewalls need access to some of the files we listed above. Without the correct permissions firewalls and cache plugins will fail to function properly.

wordpress permissions
2
0
Would love your thoughts, please comment.x
()
x
Share via
Copy link
Powered by Social Snap